"It appears that it's an Apple issue," Soltani told Ars, referring to the inability to enable HTTPS when Apple's Address Book is updated to a user's Gmail account. "Their other products support Gmail via HTTPS, so I suspect it would be a three-line fix in the contacts to alleviate this problem."

Once the current version of Address Book is configured to sync with Google's popular e-mail service, the Apple app checked in about once an hour on Macs Soltani tested. Any time the app contained an address not found in Gmail, it would send the data unencrypted. Interestingly, the program uses the HTTPS protocol to cryptographically authenticate the machine advertising itself as a Gmail server, but the app goes on to send the addresses in plain text over an unencrypted HTTP connection, he said.

According to The Washington Post, the NSA’s Special Source Operations branch collected 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, and 33,697 from Gmail during a single day last year. The comparatively low number of contact lists acquired from Gmail is noteworthy considering it is among the most widely used online e-mail services. A key contributor to that low rate is almost certainly Google's default use of HTTPS to encrypt e-mail traffic. Soltani said the protection is not available unless applications that connect to Gmail support encryption. The application programming interface (API) that makes that capability possible is missing from Apple's address book, he added.

"There's still a lot of areas where developers just rely on insecure APIs, and this data shows that," he told Ars. Soltani said he found no evidence that Thunderbird and other popular apps didn't provide a way to encrypt data when working with Gmail.

Cryptography expert and security analyst Bruce Schneier said in a recent blog post that NSA spies acquire the address lists by tapping the Internet backbone.

"Once they have the data, they have powerful packet inspectors—code names include TUMULT, TURBULENCE, and TURMOIL—that run a bunch of different identification and copying systems," he wrote. "One of them, code name unknown, searches for these contact lists and copies them. Google, Yahoo, Microsoft, etc., have no idea that this is happening, nor have they consented to their data being harvested in this way."

Apple representatives didn't respond to an e-mail seeking comment for this post.

Given that Gmail will quite happily hand over the entire address book to the NSA anyway, I fail to see the extra privacy 'harm' caused by this.

The main problem is you don't need to be the NSA to pop Kisemt in that Starbucks and sniff out all Address Book traffic around. After that it will be much easier to make a targeted social engineering attack against people in that Address Book.

It's like to say "As the NSA can pick my house's door I won't lock it anymore".